INTRODUCTION

What are mobile devices?

Handheld or notebook-sized devices that can be used to store or send information, or connect to the Internet. Examples include smartphones, PDAs, tablets, etc.

Why should they be protected?

Every day, mobile devices are lost, stolen, and infected. Assume for a moment that your mobile device has been stolen. What would you do?

What stored data was stolen? (think about both work and non-work)

What stored passwords were stolen?

What other accounts and services might have been compromised? (Dropbox, shopping, credit cards, bank accounts, work accounts, Facebook, ...)

Did you lose your only copy of anything important?

Mobile devices are computers, too.

These devices can store important business and personal information, and may be used to access University systems, email, banking information, work and personal accounts. Where this is the case, they need to be protected like any other computer.

Lost or stolen devices used for work:

Important: Report the loss or theft of devices used for work to the ITS Support Center (info below) so they can help identify and address potential compromised accounts or data, including compromised restricted data, which requires additional action on the part of the University. See the lost/stolen device checklist below for additional steps to take.

Protecting mobile devices:

A good rule of thumb is not to store anything you're not willing to lose or share with the world. This said, following are some steps you can take to help protect information on these devices. Some of these steps may require additional configuration/setting changes:

Password-protect your mobile device with a complex password, and be sure your device requires a password to start up or resume activity -- but still don't store anything you're not willing to lose.

Set it to automatically lock after a short period of inactivity.

Keep it with you or lock it up securely before you step away -- even just for a second. See Physical Security for more information.

Don't store sensitive information. Encrypt your device or sensitive contents if you do. See below for a special note about restricted data.

Don’t store passwords unless they’re encrypted.

Run current, up-to-date versions of the operating system and applications. Remember to sync often so you get available updates. Always install updates when your carrier tells you they are available.

Mobile devices can be just as susceptible to viruses as desktop and laptop computers. Use anti-virus/anti-malware software, if it is available for your device, and set it to auto-update as frequently as the settings will allow.

If your mobile device has built-in firewall or access control functionality, these features should be activated. Default settings are typically acceptable for most people.

Avoid using auto-complete features that remember user names or passwords.

Turn off unnecessary services:

Disable or remove applications (apps) and plug-ins that you don't actively use

Disable Bluetooth, wireless & IrDA (infrared) when you're not actively using them

Turn off GPS and geotagging when you're not actively using them. These can allow your location to be tracked without your knowledge.

Periodically go through the device's list of allowed wireless services and delete ones no longer needed (usually found under network, wireless, or airport settings)

Set devices to “ask” before joining wireless networks (see below for more information about wireless).

If your device has a web browser, set the browser to block pop-ups. For added privacy, also set the browser to limit the cookies it accepts. For example, some devices let you set the browser to accept cookies only from sites you visit.

Make sure you have a secure (encrypted) connection before working with sensitive data.

Use known, encrypted networks, such as UCSC’s EDUROAM SECURE WIRELESS and CAMPUS VPN (virtual private network), available to UCSC students, researchers, faculty, and staff (also see below for more about eduroam, Campus VPN, and wireless).

Make sure web pages have https (not http) in the web address (URL). The “s” stands for “secure" and tells you that the information you enter is being encrypted as it is sent. Look for this before logging into anything.

Coffee shop/hotel/airport-type wireless is not encrypted.

If you’re not sure, assume it’s not secure.

A special note about wireless, eduroam, and Campus VPN:

Wireless:Information sent via standard wireless is especially easy to intercept. To protect yourself:

As mentioned under "Protecting mobile devices" above, set devices to “ask” before joining wireless networks.

For additional information about home wireless security, see the Home Wireless Security page at onguardonline.gov

eduroam: eduroam (education roaming) is a secure, encrypted, world-wide roaming wireless service developed for the international research and education community. It is available on the UCSC campus and allows UCSC students, researchers, faculty, and staff to obtain secure Internet connectivity across campus and when visiting other participating institutions with their laptop or supported mobile devices. See http://its.ucsc.edu/wireless-secure/ for information and set-up instructions.

Campus VPN:UCSC's Campus VPN (virtual private network) encrypts your Internet traffic and provides a secure (encrypted) connection to the UCSC network from off campus. The Campus VPN is available to all campus members with a CruzId and Gold password. See http://its.ucsc.edu/vpn/access-vpn.html for information and set-up instructions.

Related Resources:

Use of Free Services: Guidance when Considering Free or Low-Cost Non-UC Technology Services

"Free and low cost technology services" are computer-related services that you can sign up for online for free or nearly-free. You must take privacy and security into consideration when making decisions about when it is and is not appropriate to use these services. more...